Talos Vulnerability Report

TALOS-2017-0300

October 26, 2017

CVE Number

CVE-2017-12607

Summary

An exploitable out-of-bounds write vulnerability exists in the PPTStyleSheet::PPTStyleSheet functionality of Apache OpenOffice.
A specially crafted PPT file can cause an out-of-bounds write resulting in arbitrary code execution.
An attacker can send or provide a malicious PPT file to trigger this vulnerability.

Tested Versions

Apache OpenOffice 4.1.3 x64
Apache OpenOffice 4.1.3 x86

Product URLs

CVSSv3 Score

8.3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

This vulnerability is present in Apache OpenOffice (formerly OpenOffice.org), a free, open-source office suite.
A specially crafted PPT file can lead to an out-of-bounds write and ultimately to remote code execution.

As we can see, an attempt is made to write to an address inside the mapped range of libsd.so, which results in an access violation because the pages backing that mapped file are readable and executable but not writable.
To understand why this vulnerability occurs, we will look at the vulnerable function in the source code:

Next, we see that nLevelAnz is read at line 4384. According to the documentation:

cLevels (2 bytes): An unsigned integer that specifies the number of style levels. It MUST be less than or equal to 0x0005.

but in our case its value is:

(gdb) n
4384 rIn >> nLevelAnz;
(gdb) p nLevelAnz
$9 = 65535 (0xffff)

We also see the following:

PPTParaLevel maParaLevel[ 5 ];
and
PPTCharLevel maCharLevel[ 5 ];

The vulnerability results from the lack of any check enforcing the constraint that nLevelAnz must be less than 5. The maParaLevel and maCharLevel arrays are written to at lines 4393-4394; our invalid value lets nLev exceed 4 inside the loop, which produces an out-of-bounds write. This can then lead to arbitrary code execution.
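The missing check described above, reduced to a constructed C++ sketch added here (this is not OpenOffice's actual code; the level structs and the Reader type are simplified stand-ins for the real types and for SvStream's operator>>): the unchecked loop is kept as a comment, while the hardened parser rejects a record whose cLevels exceeds the five-element arrays before any write happens.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>
// Constructed stand-ins for the per-level style records (not OpenOffice's real types).
struct PPTParaLevel { uint16_t value = 0; };
struct PPTCharLevel { uint16_t value = 0; };
// Simplified little-endian reader standing in for SvStream's operator>> (assumption).
struct Reader {
    std::vector<uint8_t> buf;
    std::size_t pos = 0;
    bool readU16(uint16_t& out) {
        if (pos + 2 > buf.size()) return false;   // truncated record
        out = static_cast<uint16_t>(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
        return true;
    }
};
// The two fixed-size arrays named in the report: five entries each, valid indices 0..4.
struct PPTStyleSheet {
    std::array<PPTParaLevel, 5> maParaLevel{};
    std::array<PPTCharLevel, 5> maCharLevel{};
};
// Vulnerable shape as the report describes it (kept as a comment, never executed):
//   rIn >> nLevelAnz;                          // 0xFFFF straight from the file
//   for (nLev = 0; nLev < nLevelAnz; nLev++)   // no check against the array size
//       maParaLevel[nLev] = ..., maCharLevel[nLev] = ...;   // writes past index 4
// Hardened parse: returns the number of levels read, or -1 if the record is malformed.
int parseStyleSheet(Reader& rIn, PPTStyleSheet& sheet) {
    uint16_t nLevelAnz = 0;
    if (!rIn.readU16(nLevelAnz)) return -1;
    // [MS-PPT] says cLevels MUST be <= 5 and the arrays hold exactly 5 entries,
    // so a larger count is a malformed file, not a reason to index past the end.
    if (nLevelAnz > sheet.maParaLevel.size()) return -1;
    for (uint16_t nLev = 0; nLev < nLevelAnz; ++nLev) {
        uint16_t para = 0, chr = 0;
        if (!rIn.readU16(para) || !rIn.readU16(chr)) return -1;
        sheet.maParaLevel[nLev].value = para;   // nLev is at most 4 here
        sheet.maCharLevel[nLev].value = chr;
    }
    return nLevelAnz;
}
// Wrapper over a constructed record body: one u16 count, then one para and one char value per level.
int parseBytes(const std::vector<uint8_t>& bytes) {
    Reader rIn{bytes};
    PPTStyleSheet sheet;
    return parseStyleSheet(rIn, sheet);
}
```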

Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.